Re: Configuration management of BIND .conf

2024-09-29 Thread Matthew Pounsett
On Tue, Sep 24, 2024 at 7:24 PM John Thurston wrote: > I'm looking for your ideas. What works? What doesn't work? > > Are you leveraging your existing configuration management tools (e.g. > Puppet, Ansible, Chef)? > For OARC's name servers (significantly simpler than yours, but once you're talkin

Re: Configuration management of BIND .conf

2024-09-25 Thread John Thurston
Our 'special' zone definitions are less than 10kb (at the moment), so the 64kb limit isn't an issue. And if it ever is, it can be broken up into several 'included' .conf files. The 255-character string limit isn't a problem with base64: base64 -w 250 special.conf | sed 's/^/"/;s/$/"/' | tr -d

Re: Configuration management of BIND .conf

2024-09-25 Thread Jan-Piet Mens
Are you leveraging your existing configuration management tools (e.g. Puppet, Ansible, Chef)? Ansible (my choice of poison) works well for this type of situation I find, particularly because a lot of work can be done via Jinja templating. This trivial example hopefully illustrates what I mean:

RE: Configuration advice for a post-8020 world

2017-02-13 Thread Woodworth, John R
> -----Original Message----- > From: Mark Andrews [mailto:ma...@isc.org] > > Named does not check that a parent zone has NS records for a child > zone on the same server. Always add delegating NS records. > > As for ENT returning NXDOMAIN. Early versions of the specifications > of DNSSEC said the

Re: Configuration advice for a post-8020 world

2017-02-12 Thread Mark Andrews
Named does not check that a parent zone has NS records for a child zone on the same server. Always add delegating NS records. As for ENT returning NXDOMAIN. Early versions of the specifications of DNSSEC said there were no NAMES, rather than NAMES with RECORDS, between names in a DNSSEC sorted

RE: Configuration advice for a post-8020 world

2017-02-12 Thread Woodworth, John R
> -----Original Message----- > From: Woodworth, John R > -----Original Message----- > From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil > Mayers > > > > On 12/02/2017 11:09, Woodworth, John R wrote: > > > > > SAMPLE ZONES: > > > 101{redacted}.com. (REAL ZON

RE: Configuration advice for a post-8020 world

2017-02-12 Thread Woodworth, John R
-----Original Message----- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil Mayers > > On 12/02/2017 11:09, Woodworth, John R wrote: > > > SAMPLE ZONES: > > 101{redacted}.com. (REAL ZONE FILE) > > jwjw.sales.101{redacted}.com. (REAL ZONE FILE) > > You ar

Re: Configuration advice for a post-8020 world

2017-02-12 Thread Phil Mayers
On 12/02/2017 11:09, Woodworth, John R wrote: SAMPLE ZONES: 101{redacted}.com. (REAL ZONE FILE) jwjw.sales.101{redacted}.com. (REAL ZONE FILE) You are missing the glue NS records in the parent zone (just verified by local test of the before/after case). You need: jwjw.sales.1

Re: configuration error in lists.isc.org

2015-08-14 Thread Lawrence K. Chen, P.Eng.
On 2015-08-13 21:14, Mark Andrews wrote: In message <94ac3fe7e1948b9c0ce80a78f8a59...@lhaven.homeip.net>, "Lawrence K. Chen, P.Eng." writes: Earlier today had a request to add another entry...didn't notice that how close the string was to 255? characters. You just use multiple fields if ther

Re: configuration error in lists.isc.org

2015-08-13 Thread Mark Andrews
In message , Steven Carr writes: > On 14 August 2015 at 03:14, Mark Andrews wrote: > > You just use multiple fields if there isn't space. The fields are > > concatenated together with no space to produce the full SPF entry. > > > > e.g. "ab" "cd" -> "abcd" > > How does BIND know which o

Re: configuration error in lists.isc.org

2015-08-13 Thread Steven Carr
On 14 August 2015 at 03:14, Mark Andrews wrote: > You just use multiple fields if there isn't space. The fields are > concatenated together with no space to produce the full SPF entry. > > e.g. "ab" "cd" -> "abcd" How does BIND know which order to send the TXT records in so that they can

Re: configuration error in lists.isc.org

2015-08-13 Thread Mark Andrews
In message <94ac3fe7e1948b9c0ce80a78f8a59...@lhaven.homeip.net>, "Lawrence K. Chen, P.Eng." writes: > Earlier today had a request to add another entry...didn't notice that how > close the string was to 255? characters. You just use multiple fields if there isn't space. The fields are concatenat

Re: configuration error in lists.isc.org

2015-08-13 Thread Lawrence K. Chen, P.Eng.
On 2015-08-13 18:47, Reindl Harald wrote: On 13.08.2015 at 23:15, Lawrence K. Chen, P.Eng. wrote: On 2015-08-10 17:12, Reindl Harald wrote: well, when you can't say from where you send mail you should refrain from setup SPF at all Except there are external forces that demand an SPF, and that

Re: configuration error in lists.isc.org

2015-08-13 Thread Reindl Harald
On 13.08.2015 at 23:15, Lawrence K. Chen, P.Eng. wrote: On 2015-08-10 17:12, Reindl Harald wrote: well, when you can't say from where you send mail you should refrain from setup SPF at all Except there are external forces that demand an SPF, and that it contain specific strings at all times

Re: configuration error in lists.isc.org

2015-08-13 Thread Lawrence K. Chen, P.Eng.
On 2015-08-10 17:12, Reindl Harald wrote: truncated the long, hard to understand and unrelated stuff On 10.08.2015 at 23:49, Lawrence K. Chen, P.Eng. wrote: that above is pure nonsense - your DOMAIN has either a strict SPF policy - or a testing policy ~ and no mix of both ~ means "testi

Re: configuration error in lists.isc.org

2015-08-10 Thread Noel Butler
On 11/08/2015 07:59, Lawrence K. Chen, P.Eng. wrote: > On 2015-08-10 16:49, Lawrence K. Chen, P.Eng. wrote: > >> Though I realize my error not recalling that there is a middle (neutral) >> level, and which is more appropriate, since softfail is somewhere between >> fail and neutral which is

Re: configuration error in lists.isc.org

2015-08-10 Thread Reindl Harald
BTW: your SPF is completely broken http://www.openspf.org/Why?s=mfrom;id=lkc...@ksu.edu;ip=54.200.129.228 The domain outbound._spf.mailhop.org has published an SPF policy, however, an error occurred while the receiving mail server tried to evaluate the policy: Missing required IPv4 address in

Re: configuration error in lists.isc.org

2015-08-10 Thread Reindl Harald
truncated the long, hard to understand and unrelated stuff On 10.08.2015 at 23:49, Lawrence K. Chen, P.Eng. wrote: that above is pure nonsense - your DOMAIN has either a strict SPF policy - or a testing policy ~ and no mix of both ~ means "testing, please don't reject if it don't pass" and

Re: configuration error in lists.isc.org

2015-08-10 Thread Lawrence K. Chen, P.Eng.
On 2015-08-10 16:49, Lawrence K. Chen, P.Eng. wrote: Though I realize my error not recalling that there is a middle (neutral) level, and which is more appropriate, since softfail is somewhere between fail and neutral which is not where I had intended the servers to be. Went to fix it, only to

Re: configuration error in lists.isc.org

2015-08-10 Thread Lawrence K. Chen, P.Eng.
On 2015-08-07 22:23, Reindl Harald wrote: On 08.08.2015 at 05:13, Lawrence K. Chen, P.Eng. wrote: So, when we were with this provider, our SPF had exclusive pool as good, but included the other pool prefixed with '~' can we stop that foolish discussion on the named list? How about an unna

Re: configuration error in lists.isc.org

2015-08-07 Thread Reindl Harald
On 08.08.2015 at 05:13, Lawrence K. Chen, P.Eng. wrote: So, when we were with this provider, our SPF had exclusive pool as good, but included the other pool prefixed with '~' can we stop that foolish discussion on the named list? that above is pure nonsense - your DOMAIN has either a strict

Re: configuration error in lists.isc.org

2015-08-07 Thread Lawrence K. Chen, P.Eng.
On 2015-08-07 07:34, wbr...@e1b.org wrote: > From: "Lawrence K. Chen, P.Eng." > >> OTOH, we have caved on adding systems that aren't 'ours'...though how much >> of >> Office365 is actually 'ours'but I think we currently have a couple >> includes for mass emailing solutions or our surv

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Noel Butler
On 08/08/2015 01:23, Heiko Richter wrote: > The "spf2.0/pra ?all" is SenderID, where "pra" forces the DMARC server > to check only the Envelope-Sender against "v=spf1 mx -all". If you > don't set that, SPF will always check both Envelope-From and Header-From. > >> Note that it's the SenderID

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Matus UHLAR - fantomas
On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote: SPF must only check envelope address, not header From: address - it was never designed to do the latter. On 07.08.15 17:23, Heiko Richter wrote: Correction: - All implementations of SPF always check 2 addresses: - Envelope-Fr

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Casey Deccio
On Fri, Aug 7, 2015 at 11:23 AM, Heiko Richter wrote: > Correction: > - > All implementations of SPF always check 2 addresses: > - Envelope-From address > - From address > > SPF will fail whenever the client is not authorized to send for either > the Envelope-From address or the

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Reindl Harald
On 07.08.2015 at 17:23, Heiko Richter wrote: On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote: On Aug 6, 2015, at 4:25 PM, Heiko Richter <em...@heikorichter.name> wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post to comp.protocols.

Re: configuration error in lists.isc.org

2015-08-07 Thread Heiko Richter
On 07.08.2015 at 08:03, Lawrence K. Chen, P.Eng. wrote: > In looking through the received headers I see that there's no SPF > for lists.isc.org Whether or not lists.isc.org was never in question.

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Heiko Richter
On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote: >>> On Aug 6, 2015, at 4:25 PM, Heiko Richter >>> <em...@heikorichter.name> >>> wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post

Re: configuration error in lists.isc.org

2015-08-07 Thread Casey Deccio
On Fri, Aug 7, 2015 at 2:57 AM, Reindl Harald wrote: > > On 07.08.2015 at 01:25, Heiko Richter wrote: > >> So ISC: please fix your list servers, let them rewrite the From headers! >> > > please try to understand the topic before blaming! > http://wiki.list.org/DEV/DMARC > > * SPF is about envelo

Re: [OT] Re: configuration error in lists.isc.org

2015-08-07 Thread Marco Davids (SIDN)
On 07/08/15 02:03, Charles Swiger wrote: >> So ISC: please fix your list servers, let them rewrite the From headers! > > How would this help? Changing the From header breaks your domain's DKIM > signing; are you asking them to take ownership of your messages and then DKIM > sign > them on beha

Re: configuration error in lists.isc.org

2015-08-06 Thread Reindl Harald
On 07.08.2015 at 01:25, Heiko Richter wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post to comp.protocols.dns.bind), my postmaster address receives DMARC notifications from list members that have employed this wonderful protocol on their servers

Re: [OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Matus UHLAR - fantomas
On Aug 6, 2015, at 4:25 PM, Heiko Richter <em...@heikorichter.name> wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post to comp.protocols.dns.bind), my postmaster address receives DMARC notifications from list members that have employed this

Re: configuration error in lists.isc.org

2015-08-06 Thread Lawrence K. Chen, P.Eng.
On 2015-08-06 19:00, /dev/rob0 wrote: My SPF record doesn't include lists.ist.org, of course and it never will. Furthermore it ends with "-all" so all my messages to the list are being rejected by list members who have spf aware servers. No, GNU Mailman (which is the software behind lists.i

Re: [OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 02:03, Charles Swiger wrote: > On Aug 6, 2015, at 4:25 PM, Heiko Richter > wrote: >> Whenever I post something to the list (I'm not using SMTP, I'm >> using a usenet server to post to comp.protocols.dn

[OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Charles Swiger
On Aug 6, 2015, at 4:25 PM, Heiko Richter wrote: > Whenever I post something to the list (I'm not using SMTP, I'm using a > usenet server to post to comp.protocols.dns.bind), my postmaster > address receives DMARC notifications from list members that have > employed this wonderful protocol on thei

Re: configuration error in lists.isc.org

2015-08-06 Thread /dev/rob0
On Fri, Aug 07, 2015 at 01:25:37AM +0200, Heiko Richter wrote: > Nothing concerning Bind, but still relevant to all list users: > > Just wanted to let you all know about a configuration error on > lists.isc.org. It doesn't rewrite any email headers, only reflects > incoming messages to all list me

Re: Configuration - Two queries

2015-04-02 Thread Grant Taylor
On 02/02/2015 10:40 AM, LuKreme wrote: That will not help if the FIRST connection is hitting a tar-pit. I don't know if you found a satisfactory answer or not. Here's what I would try with a pair of Bind ""servers (daemons). Configure your first ""server to "forward first" to your second ""s

Re: Configuration

2015-02-02 Thread Tony Finch
LuKreme wrote: > On Feb 2, 2015, at 4:02 AM, Tony Finch wrote: > > wu shuangrong wrote: > >> > >> I'd like to configure BIND in such way that when it failed to get result > >> for > >> the first time, it'll query for the second time. > > > > Try adjusting resolver-query-timeout. > > That will n

Re: Configuration

2015-02-02 Thread LuKreme
On Feb 2, 2015, at 4:02 AM, Tony Finch wrote: > wu shuangrong wrote: >> >> I'd like to configure BIND in such way that when it failed to get result for >> the first time, it'll query for the second time. > > Try adjusting resolver-query-timeout. That will not help if the FIRST connection is hi

Re: Configuration

2015-02-02 Thread Tony Finch
wu shuangrong wrote: > > I'd like to configure BIND in such way that when it failed to get result for > the first time, it'll query for the second time. Try adjusting resolver-query-timeout. Tony. -- f.anthony.n.finch http://dotat.at/ East Sole, Lundy, Fastnet: Mainly northerly or northeaste

RE: Configuration RPZ using BIND RPM package

2011-11-26 Thread Spain, Dr. Jeffry A.
> Is it possible in configure RPZ by download Bind.tar.gz file from isc > website. if yes, do i need to remove completely all running configuration > including /etc/named.rfc1912.zones and /etc/named.caching-nameserver.conf > files? Kindly suggest. Regards Babu Babu: While I am an Ubuntu user,

Re: Configuration for "hostname.bind."

2009-06-15 Thread Mark Andrews
In message , Chris Hills writes: > On 15/06/09 11:29, Andrey G. Sergeev (AKA Andris) wrote: > > There is no need for _any_ patch to use the built-in functionality. > > The patch makes queries for "id.server. ch txt" report the value set by > the version option /by default/ without any additional

Re: Configuration for "hostname.bind."

2009-06-15 Thread Chris Hills
On 15/06/09 11:29, Andrey G. Sergeev (AKA Andris) wrote: There is no need for _any_ patch to use the built-in functionality. The patch makes queries for "id.server. ch txt" report the value set by the version option /by default/ without any additional configuration. Regards, Chris

Re: Configuration for "hostname.bind."

2009-06-15 Thread Andrey G. Sergeev (AKA Andris)
Greetings Chris, Sun, 14 Jun 2009 12:01:50 +0200 Chris Hills wrote: On 13/06/09 16:23, Andrey G. Sergeev (AKA Andris) wrote: Also, is it possible to configure BIND to respond on version.server. chaos txt and id.server. chaos txt in the same manner as version.bind. and hostname.bind. (i.e. aut

Re: Configuration for "hostname.bind."

2009-06-14 Thread Chris Hills
On 13/06/09 16:23, Andrey G. Sergeev (AKA Andris) wrote: Also, is it possible to configure BIND to respond on version.server. chaos txt and id.server. chaos txt in the same manner as version.bind. and hostname.bind. (i.e. automatically without requiring a separate zone file)? options { server-i

Re: Configuration for "hostname.bind."

2009-06-14 Thread Chris Hills
On 13/06/09 16:23, Andrey G. Sergeev (AKA Andris) wrote: Greetings, Sat, 13 Jun 2009 11:08:53 +0200 Chris Hills wrote: One can change the response to "version.bind. chaos txt" using the configuration directive "version". Is there an equivalent configuration directive for "hostname.bind. chaos

Re: Configuration for "hostname.bind."

2009-06-13 Thread Andrey G. Sergeev (AKA Andris)
Greetings, Sat, 13 Jun 2009 11:08:53 +0200 Chris Hills wrote: One can change the response to "version.bind. chaos txt" using the configuration directive "version". Is there an equivalent configuration directive for "hostname.bind. chaos txt"? Sure: options { hostname "any_text"; };

Re: Configuration for "hostname.bind."

2009-06-13 Thread Chris Hills
On 13/06/09 11:39, Chris Hills wrote: /etc/named.conf:160: zone 'bind': class 'CHAOS' does not match view/default class /etc/named.conf:165: zone 'server': class 'CHAOS' does not match view/default class I resolved this by switching to a view configuration, i.e.:- view "external-chaos" chaos {

Re: Configuration for "hostname.bind."

2009-06-13 Thread Chris Hills
On 13/06/09 11:08, Chris Hills wrote: Hi One can change the response to "version.bind. chaos txt" using the configuration directive "version". Is there an equivalent configuration directive for "hostname.bind. chaos txt"? Also, is it possible to configure BIND to respond on version.server. chao